search

keyboard_tab Digital Governance Act 2022/0868 EN

 BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf

2022/0868 EN cercato: 'board' . Output generated live by software developed by IusOnDemand srl


expand index board:

    CHAPTER I
    General provisions

    CHAPTER II
    Re-use of certain categories of protected data held by public sector bodies
  • 1 Art. 2 Definitions

    • CHAPTER III
    Requirements applicable to data intermediation services

    CHAPTER IV
    Data altruism

    CHAPTER V
    Competent authorities and procedural provisions

    CHAPTER VI
    European Data Innovation board

    CHAPTER VII
    International access and transfer

    CHAPTER VIII
    Delegation and committee procedure

    CHAPTER IX
    Final and transitional provisions


whereas board:


definitions:


cloud tag: and the number of total unique words without stopwords is: 649

 

Article 1

Subject matter and scope

1.   This Regulation lays down:

(a)

conditions for the re-use, within the Union, of certain categories of data held by public sector bodies;

(b)

a notification and supervisory framework for the provision of data intermediation services;

(c)

a framework for voluntary registration of entities which collect and process data made available for altruistic purposes; and

(d)

a framework for the establishment of a European Data Innovation board.

2.   This Regulation does not create any obligation on public sector bodies to allow the re-use of data, nor does it release public sector bodies from their confidentiality obligations under Union or national law.

This Regulation is without prejudice to:

(a)

specific provisions in Union or national law regarding the access to or re-use of certain categories of data, in particular with regard to the granting of access to and disclosure of official documents; and

(b)

the obligations of public sector bodies under Union or national law to allow the re-use of data or to requirements related to processing of non-personal data.

Where sector-specific Union or national law requires public sector bodies, data intermediation services providers or recognised data altruism organisations to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union or national law shall also apply. Any such specific additional requirements shall be non-discriminatory, proportionate and objectively justified.

3.   Union and national law on the protection of personal data shall apply to any personal data processed in connection with this Regulation. In particular, this Regulation is without prejudice to Regulations (EU) 2016/679 and (EU) 2018/1725 and Directives 2002/58/EC and (EU) 2016/680, including with regard to the powers and competences of supervisory authorities. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data shall prevail. This Regulation does not create a legal basis for the processing of personal data, nor does it affect any of the rights and obligations set out in Regulations (EU) 2016/679 or (EU) 2018/1725 or Directives 2002/58/EC or (EU) 2016/680.

4.   This Regulation is without prejudice to the application of competition law.

5.   This Regulation is without prejudice to the competences of the Member States with regard to their activities concerning public security, defence and national security.

Article 2

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)

data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording;

(2)

re-use’ means the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced, except for the exchange of data between public sector bodies purely in pursuit of their public tasks;

(3)

‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;

(4)

‘non-personal data’ means data other than personal data;

(5)

consent’ means consent as defined in Article 4, point (11), of Regulation (EU) 2016/679;

(6)

permission’ means giving data users the right to the processing of non-personal data;

(7)

data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;

(8)

data holder’ means a legal person, including public sector bodies and international organisations, or a natural person who is not a data subject with respect to the specific data in question, which, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal data or non-personal data;

(9)

data user’ means a natural or legal person who has lawful access to certain personal or non-personal data and has the right, including under Regulation (EU) 2016/679 in the case of personal data, to use that data for commercial or non-commercial purposes;

(10)

data sharing’ means the provision of data by a data subject or a data holder to a data user for the purpose of the joint or individual use of such data, based on voluntary agreements or Union or national law, directly or through an intermediary, for example under open or commercial licences subject to a fee or free of charge;

(11)

data intermediation service’ means a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data, excluding at least the following:

(a)

services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users;

(b)

services that focus on the intermediation of copyright-protected content;

(c)

services that are exclusively used by one data holder in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things;

(d)

data sharing services offered by public sector bodies that do not aim to establish commercial relationships;

(12)

processing’ means processing as defined in Article 4, point (2), of Regulation (EU) 2016/679 with regard to personal data or Article 3, point (2), of Regulation (EU) 2018/1807 with regard to non-personal data;

(13)

access’ means data use, in accordance with specific technical, legal or organisational requirements, without necessarily implying the transmission or downloading of data;

(14)

main_establishment’ of a legal person means the place of its central administration in the Union;

(15)

‘services of data cooperatives’ means data intermediation services offered by an organisational structure constituted by data subjects, one-person undertakings or SMEs who are members of that structure, having as its main objectives to support its members in the exercise of their rights with respect to certain data, including with regard to making informed choices before they consent to data processing, to exchange views on data processing purposes and conditions that would best represent the interests of its members in relation to their data, and to negotiate terms and conditions for data processing on behalf of its members before giving permission to the processing of non-personal data or before they consent to the processing of personal data;

(16)

data altruism’ means the voluntary sharing of data on the basis of the consent of data subjects to process personal data pertaining to them, or permissions of data holders to allow the use of their non-personal data without seeking or receiving a reward that goes beyond compensation related to the costs that they incur where they make their data available for objectives of general interest as provided for in national law, where applicable, such as healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, public policy making or scientific research purposes in the general interest;

(17)

public_sector_body’ means the State, regional or local authorities, bodies_governed_by_public_law or associations formed by one or more such authorities, or one or more such bodies_governed_by_public_law;

(18)

bodies_governed_by_public_law’ means bodies that have the following characteristics:

(a)

they are established for the specific purpose of meeting needs in the general interest, and do not have an industrial or commercial character;

(b)

they have legal personality;

(c)

they are financed, for the most part, by the State, regional or local authorities, or other bodies_governed_by_public_law, are subject to management supervision by those authorities or bodies, or have an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities, or by other bodies_governed_by_public_law;

(19)

public_undertaking’ means any undertaking over which the public sector bodies may exercise directly or indirectly a dominant influence by virtue of their ownership of it, their financial participation therein, or the rules which govern it; for the purposes of this definition, a dominant influence on the part of the public sector bodies shall be presumed in any of the following cases in which those bodies, directly or indirectly:

(a)

hold the majority of the undertaking’s subscribed capital;

(b)

control the majority of the votes attaching to shares issued by the undertaking;

(c)

can appoint more than half of the undertaking’s administrative, management or supervisory body;

(20)

‘secure processing environment’ means the physical or virtual environment and organisational means to ensure compliance with Union law, such as Regulation (EU) 2016/679, in particular with regard to data subjects’ rights, intellectual property rights, and commercial and statistical confidentiality, integrity and accessibility, as well as with applicable national law, and to allow the entity providing the secure processing environment to determine and supervise all data processing actions, including the display, storage, download and export of data and the calculation of derivative data through computational algorithms;

(21)

legal_representative’ means a natural or legal person established in the Union explicitly designated to act on behalf of a data intermediation services provider or an entity that collects data for objectives of general interest made available by natural or legal persons on the basis of data altruism not established in the Union, which may be addressed by the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations in addition to or instead of the data intermediation services provider or entity with regard to the obligations under this Regulation, including with regard to initiating enforcement proceedings against a non-compliant data intermediation services provider or entity not established in the Union.

CHAPTER II

Re-use of certain categories of protected data held by public sector bodies

Article 25

European data altruism consent form

1.   In order to facilitate the collection of data based on data altruism, the Commission shall adopt implementing acts establishing and developing a European data altruism consent form, after consulting the European Data Protection board, taking into account the advice of the European Data Innovation board and duly involving relevant stakeholders. The form shall allow the collection of consent or permission across Member States in a uniform format. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 33(2).

2.   The European data altruism consent form shall use a modular approach allowing customisation for specific sectors and for different purposes.

3.   Where personal data are provided, the European data altruism consent form shall ensure that data subjects are able to give consent to and withdraw consent from a specific data processing operation in compliance with the requirements of Regulation (EU) 2016/679.

4.   The form shall be available in a manner that can be printed on paper and is easily understandable as well as in an electronic, machine-readable form.

CHAPTER V

Competent authorities and procedural provisions

Article 28

Right to an effective judicial remedy

1.   Notwithstanding any administrative or other non-judicial remedies, any affected natural and legal persons shall have the right to an effective judicial remedy with regard to legally binding decisions referred to in Article 14 taken by the competent authorities for data intermediation services in the management, control and enforcement of the notification regime for data intermediation services providers and legally binding decisions referred to in Articles 19 and 24 taken by the competent authorities for the registration of data altruism organisations in the monitoring of recognised data altruism organisations.

2.   Proceedings pursuant to this Article shall be brought before the courts or tribunals of the Member State of the competent authority for data intermediation services or the competent authority for the registration of data altruism organisations against which the judicial remedy is sought individually or, where relevant, collectively by the representatives of one or more natural or legal persons.

3.   Where a competent authority for data intermediation services or a competent authority for the registration of data altruism organisations fails to act on a complaint, any affected natural and legal persons shall, in accordance with national law, either have the right to an effective judicial remedy or access to review by an impartial body with the appropriate expertise.

CHAPTER VI

European Data Innovation board

Article 29

European Data Innovation board

1.   The Commission shall establish a European Data Innovation board in the form of an expert group, consisting of representatives of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations of all Member States, the European Data Protection board, the European Data Protection Supervisor, ENISA, the Commission, the EU SME Envoy or a representative appointed by the network of SME envoys, and other representatives of relevant bodies in specific sectors as well as bodies with specific expertise. In its appointments of individual experts, the Commission shall aim to achieve gender and geographical balance among the members of the expert group.

2.   The European Data Innovation board shall consist of at least the following three subgroups:

(a)

a subgroup composed of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations, with a view to carrying out the tasks pursuant to Article 30, points (a), (c), (j) and (k);

(b)

a subgroup for technical discussions on standardisation, portability and interoperability pursuant to Article 30, points (f) and (g);

(c)

a subgroup for stakeholder involvement composed of relevant representatives from industry, research, academia, civil society, standardisation organisations, relevant common European data spaces and other relevant stakeholders and third parties advising the European Data Innovation board on tasks pursuant to Article 30, points (d), (e), (f), (g) and (h).

3.   The Commission shall chair the meetings of the European Data Innovation board.

4.   The European Data Innovation board shall be assisted by a secretariat provided by the Commission.

Article 30

Tasks of the European Data Innovation board

The European Data Innovation board shall have the following tasks:

(a)

to advise and assist the Commission with regard to developing a consistent practice of public sector bodies and competent bodies referred to in Article 7(1) in handling requests for the re-use of the categories of data referred to in Article 3(1);

(b)

to advise and assist the Commission with regard to developing a consistent practice for data altruism across the Union;

(c)

to advise and assist the Commission with regard to developing a consistent practice of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations in the application of requirements applicable to data intermediation services providers and recognised data altruism organisations;

(d)

to advise and assist the Commission with regard to developing consistent guidelines on how to best protect, in the context of this Regulation, commercially sensitive non-personal data, in particular trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that risks intellectual property theft or industrial espionage;

(e)

to advise and assist the Commission with regard to developing consistent guidelines for cybersecurity requirements for the exchange and storage of data;

(f)

to advise the Commission, in particular taking into account the input from standardisation organisations, on the prioritisation of cross-sector standards to be used and developed for data use and cross-sector data sharing between emerging common European data spaces, cross-sectoral comparison and exchange of best practices with regard to sectoral requirements for security and access procedures, taking into account sector-specific standardisation activities, in particular clarifying and distinguishing which standards and practices are cross-sectoral and which are sectoral;

(g)

to assist the Commission, in particular taking into account the input from standardisation organisations, in addressing fragmentation of the internal market and the data economy in the internal market by enhancing cross-border, cross-sector interoperability of data as well as data sharing services between different sectors and domains, building on existing European, international or national standards, inter alia with the aim of encouraging the creation of common European data spaces;

(h)

to propose guidelines for common European data spaces, namely purpose- or sector-specific or cross-sectoral interoperable frameworks of common standards and practices to share or jointly process data for, inter alia, the development of new products and services, scientific research or civil society initiatives, such common standards and practices taking into account existing standards, complying with the competition rules and ensuring non-discriminatory access to all participants, for the purpose of facilitating data sharing in the Union and reaping the potential of existing and future data spaces, addressing, inter alia:

(i)

cross-sectoral standards to be used and developed for data use and cross-sector data sharing, cross-sectoral comparison and exchange of best practices with regard to sectoral requirements for security and access procedures, taking into account sector-specific standardisation activities, in particular clarifying and distinguishing which standards and practices are cross-sectoral and which are sectoral;

(ii)

requirements to counter barriers to market entry and to avoid lock-in effects, for the purpose of ensuring fair competition and interoperability;

(iii)

adequate protection for lawful data transfers to third countries, including safeguards against any transfers prohibited by Union law;

(iv)

adequate and non-discriminatory representation of relevant stakeholders in the governance of common European data spaces;

(v)

adherence to cybersecurity requirements in accordance with Union law;

(i)

to facilitate cooperation between Member States with regard to setting harmonised conditions allowing for the re-use of the categories of data referred to in Article 3(1) held by public sector bodies across the internal market;

(j)

to facilitate cooperation between competent authorities for data intermediation services and competent authorities for the registration of data altruism organisations through capacity-building and the exchange of information, in particular by establishing methods for the efficient exchange of information relating to the notification procedure for data intermediation services providers and the registration and monitoring of recognised data altruism organisations, including coordination with regard to the setting of fees or penalties, as well as facilitate cooperation between competent authorities for data intermediation services and competent authorities for the registration of data altruism organisations with regard to international access and transfer of data;

(k)

to advise and assist the Commission with regard to evaluating whether the implementing acts referred to in Article 5(11) and (12) are to be adopted;

(l)

to advise and assist the Commission with regard to developing the European data altruism consent form in accordance with Article 25(1);

(m)

to advise the Commission on improving the international regulatory environment for non-personal data, including standardisation.

CHAPTER VII

International access and transfer

Article 34

Penalties

1.   Member States shall lay down the rules on penalties applicable to infringements of the obligations regarding transfers of non-personal data to third countries pursuant to Article 5(14) and Article 31, the notification obligation of data intermediation services providers pursuant to Article 11, the conditions for providing data intermediation services pursuant to Article 12 and the conditions for the registration as a recognised data altruism organisation pursuant to Articles 18, 20, 21 and 22, and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. In their rules on penalties, Member States shall take into account the recommendations of the European Data Innovation board. Member States shall, by 24 September 2023, notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them.

2.   Member States shall take into account the following non-exhaustive and indicative criteria for the imposition of penalties on data intermediation services providers and recognised data altruism organisations for infringements of this Regulation, where appropriate:

(a)

the nature, gravity, scale and duration of the infringement;

(b)

any action taken by the data intermediation services provider or recognised data altruism organisation to mitigate or remedy the damage caused by the infringement;

(c)

any previous infringements by the data intermediation services provider or recognised data altruism organisation;

(d)

the financial benefits gained or losses avoided by the data intermediation services provider or recognised data altruism organisation due to the infringement, insofar as such benefits or losses can be reliably established;

(e)

any other aggravating or mitigating factors applicable to the circumstances of the case.

whereas
keyboard_arrow_down